ATOMx Cooperative Identity and Authorization Layer
Start Here — by Role
| If you are… | Read in this order |
|---|---|
| Authority watch-floor user / airspace officer | Trust Model → Trust Ladder → Authorization Package → Disconnected Operations §6 |
| Drone OEM evaluating ATOMx integration | Aircraft Hardware Identity → Onboarding Manufacturers → Onboarding Aircraft → PKI |
| Operator / fleet manager | Onboarding Operators and Pilots → Flight Lifecycle → Authorization Package → Disconnected Operations |
| Pilot | Pilot Identity → Onboarding Operators and Pilots §2 → Trust Ladder |
| Authority admin / agency lead | Onboarding Authorities → Authorization Package §3 → Disconnected Operations §6 |
| Backend / platform engineer | System Design → Authorization Package → Flight Lifecycle → Threat Model |
| Security architect / FedRAMP auditor | Threat Model → PKI → Aircraft Hardware Identity → Pilot Identity → Origins and Decisions |
| Curious newcomer | Trust Model → Trust Ladder → Origins and Decisions |
How These Pages Are Organized
The PRD and reference material are split across four thematic clusters. Read top-to-bottom for a learning path; jump in by topic if you have a specific question.
Foundations — what trust means
Cryptographic substrate — how identity is rooted
Lifecycle — when each identity is established and used
Operational contexts and architecture
Provenance
Customer Facing Product Brief
A privacy-preserving airspace governance model for trusted low-altitude operations.
Today’s public broadcast identity model exposes more information than the public needs while still failing to answer the most important operational questions: Is this aircraft approved to be here? Is it operating within that approval? Who is allowed to know more if action is required?
ATOMx changes that model. It supports flight authorization services by binding verified pilot/operator identity, aircraft identity, and an approved flight plan or operating area into a cryptographically protected authorization package. That package allows authorized systems to determine whether an aircraft is operating within its approved boundaries without exposing pilot/operator identity or control-station location to the public.
The result is a cooperative identity and authorization layer for airspace governance: public users receive only limited safety and authorization signals, while authorized aviation, public safety, security, and airspace-management users can access protected details when they have a validated need to know.
Why This Matters
Low-altitude airspace cannot be governed by public identity broadcast alone. A visible identifier does not prove that a flight is approved, that the aircraft is conforming to its approval, or that the identity has not been spoofed, replayed, or misused. At the same time, broadcasting pilot/operator identity or control-station location to everyone nearby creates unnecessary privacy and security exposure.
ATOMx addresses both sides. It creates a verifiable link between aircraft, identity, and authorization while keeping sensitive details protected. The public receives a simplified trust signal. Authorized users receive operational detail through controlled access.
What ATOMx Replaces
Today, an airspace authority answering “is that drone authorized?” stitches together LAANC entries, partner phone calls, vendor counter-UAS consoles, Remote ID broadcasts, and tribal knowledge across overlapping jurisdictions. The answer rarely arrives fast enough to act on. ATOMx collapses that workflow into a single deterministic verdict on a single screen — sourced from the same structured authorization that downstream consumers (counter-UAS effectors, dispatch, partner agencies, analytics) subscribe to.
Multi-Authority Endorsement
Most flights cross more than one jurisdiction. ATOMx supports multi-authority endorsement: an Authorization Package may require signatures from federal aviation, state aviation, federal facility, and tribal authorities — each scoped to its own segment or competence. All required authorities must approve before the package issues. Operators see one queue and one outcome; authorities see only their own jurisdictions and what their peers have chosen to share. See Authorization Package §3.
How It Works (Summary)
flowchart LR
P[Pilot/Operator Identity]
A[Aircraft Identity]
O[Approved Operation]
P --> AP[Signed Authorization Package]
A --> AP
O --> AP
AP --> PT[Public Aircraft Token]
AP --> PC[Encrypted Protected Claims]
AP --> CE[Conformance Engine]
T[Telemetry] --> CE
PT --> PUB[Public View<br/>Trust State Only]
CE --> PUB
CE --> AUTH[Authorized View<br/>Conformance + Alerts]
PC -. policy-gated disclosure .-> AUTH
classDef public fill:#fff7d6,stroke:#b58900
classDef auth fill:#d6e8ff,stroke:#1f6feb
class PUB public
class AUTH auth
ATOMx binds pilot/operator identity, aircraft identity, and an approved flight plan or operating area into a signed authorization package.
A public aircraft token is generated for each authorization. This token is what the public sees instead of a permanent aircraft identifier. It answers the question “Is this operation approved?” without revealing who is flying.
Protected identity fields (pilot/operator identity, control-station location, permanent aircraft identity, mission details) are encrypted and withheld from public view. They are released only to authorized users through a policy-controlled disclosure process.
ATOMx monitors telemetry against the approved operation and produces a conformance state. Authorized users can see whether an aircraft is operating within its approval, whether it is responding to an amendment or revocation, and whether telemetry is consistent and confident.
Three separate dimensions are maintained:
| Dimension | Question Answered |
|---|---|
| Authorization State | Is the aircraft approved to do what it is doing now? |
| Identity Trust State | Can the token, credential chain, aircraft identity binding, and authorization package be validated? |
| Security Alert State | Is there evidence of spoofing, replay, duplicate token use, cloning, telemetry mismatch, or tampering? |
These are not collapsed into a single green/red signal. A cooperative aircraft may remain trusted even when its authorization is amended. The conceptual basis is in Trust Model and Design Principles; the implementation substrate is in PKI, Pilot Identity, Aircraft Hardware Identity, and Authorization Package.
Who Sees What
The public receives only a simplified trust state:
- Within Authorization — the aircraft is verifiably operating within its approved operation
- Not Within Authorization — the aircraft is verifiably not operating within its approved operation
- Not Publicly Verifiable — public cannot determine status; this does not mean unauthorized
The public does not see pilot identity, operator organization, control-station location, permanent aircraft identity, full mission details, or the approved flight plan.
What ATOMx Does
- Binds identity, aircraft, and approved operation into a cryptographically protected authorization package
- Exposes only an authorization-bound public token instead of a permanent aircraft identifier
- Keeps pilot/operator identity and control-station location encrypted and protected from public view
- Monitors telemetry against the approved operation and produces conformance state
- Separates authorization, identity trust, and security alert states
- Controls disclosure of protected fields through a policy engine
- Logs all protected disclosures for audit and accountability
- Supports connected operations (primary) and disconnected verification (architectural path)
- Provides an API-first integration model and a native operational airspace awareness interface
What ATOMx Does Not Do
- ATOMx does not make pilot/operator identity public.
- ATOMx does not expose control-station location to the public.
- ATOMx does not treat every non-publicly-verifiable aircraft as hostile.
- ATOMx does not convert every authorization change into a threat determination.
- ATOMx is not positioned as a detection or mitigation system. It strengthens airspace security by helping authorized users distinguish cooperative, authorized aircraft from aircraft that are not publicly verifiable, not operating within authorization, or presenting security alerts.
Strategic Outcome
ATOMx provides a single operational source of truth for identity, authorization, conformance, and protected disclosure within an assigned airspace. It gives public-facing systems only the information they need, gives authorized users the information they are permitted to access, and preserves the audit record needed for accountability.
This is the foundation for practical airspace governance and, ultimately, airspace sovereignty: trusted aircraft can be recognized, cooperative operators can be protected, sensitive identity data can remain private, and responsible authorities can act with confidence when an aircraft is not operating as approved.
Working Terminology
| Term | Definition |
|---|---|
| Authorization Package | Signed operational record binding pilot/operator identity, aircraft identity, and approved flight plan or operating area. |
| Public Aircraft Token | Authorization-bound token visible publicly instead of permanent aircraft identity. |
| Protected Identity Fields | Encrypted fields withheld from public view and released only through approved access. |
| Control-Station Location | Location from which the aircraft is being operated. |
| Approved Operation | Short form for approved flight plan or operating area. |
| Within Authorization | Aircraft is verifiably operating within its approved operation. |
| Not Within Authorization | Aircraft is verifiably not operating within its approved operation. |
| Not Publicly Verifiable | Public cannot determine status. This does not mean unauthorized. |
| Authorized Operational State | Detailed state available to approved users and systems. |
| Disclosure Event | Logged release of protected data to an approved user or system. |
| Protected Mission Mode | Policy-controlled mode that can generalize public location and limit public details. |
| Offline Disclosure Capsule | Compact encrypted/signature-backed payload enabling local authorized verification and later reconciliation. |
| EK Certificate | TPM Endorsement Key certificate, signed by the TPM chip manufacturer; one of the two chains in Aircraft Hardware Identity §2. |
| Drone Assembly Certificate | OEM-issued certificate binding a drone serial to a specific TPM chip’s EK public key. See Aircraft Hardware Identity §2. |
| PCR Quote | TPM-signed snapshot of Platform Configuration Registers, proving software-stack integrity. See Aircraft Hardware Identity §4. |
| Endorsement | An authority’s scoped signature on an Authorization Package. Multiple endorsements may be required per flight. See Authorization Package §3. |
| Conformance Overlay | Independent state machine separate from trust level — flags deviation from the approved operation without changing the underlying trust color. See Trust Ladder §6. |
| Public Aircraft Token | Authorization-bound rotating identifier visible to the public, replacing permanent aircraft ID. See Authorization Package §5. |
| Offline Capsule | Compact signed object pre-issued during connectivity that lets a flight be verified locally without server contact. See Disconnected Operations §4.3. |
| Protected Mission Mode | Policy-controlled mode that generalizes public location and limits public details for sensitive operations. See Trust Model §5. |